The Office of the Australian Information Commissioner suffers a data breach courtesy of the successful hacking of HWL Ebsworth. Hackers 1, regulator zero.

June 14, 2023 |

As they say, “you couldn’t make this up.” The Office of the Australian Information Commissioner has suffered a data breach, according to The Australian’s report “Peak privacy agency the latest to fall victim to Russia-linked cybercrime gang”, through the hacking of HWL Ebsworth’s website. The regulator has regularly engaged HWL Ebsworth to provide legal services. That entails providing information for use by the law firm, and it is at least some of that information that has been compromised. While the Commissioner cannot be blamed for providing information to its trusted legal advisor, it might be interesting to know whether the Commissioner enquired of HWL Ebsworth about the privacy training it gave its staff and the state of security of the documents held under its control. Normally a victim’s answers to such questions are unsatisfactory. The Commissioner is being tight-lipped in its initial response. The concession was made that if personal information collected was compromised, then those persons would be notified.

This must be mortifying for the Commissioner. 

At some point the Commissioner will need to provide more than guarded comments. There is a question of maintaining public trust in the integrity of the system. If the nature of the HWL Ebsworth data breach warrants formal investigation by the Commissioner, it will be interesting to see how it approaches that task given it is directly impacted by the firm’s possible mistakes. It may fall to another party to undertake a review.

The article provides:

The peak Australian government agency that monitors privacy breaches caused by cyber hacking has had its own data stolen by hackers – and has so far failed to notify potentially affected people about the risk to their privacy.

The Office of the Australian Information Commissioner has had data stolen by the Russian criminal ransomware gang known as BlackCat, or ALPHV. The hackers obtained the OAIC data after infiltrating the computer systems of blue-chip Australian legal firm HWL Ebsworth.

According to the OAIC website, examples of serious harm can include identity theft, fraud and financial loss, the likelihood of physical or psychological harm, or harm to a person’s reputation. It is not known when the OAIC discovered it had been hacked. The agency is headed by commissioner Angelene Falk.

A spokesperson said the OAIC systems had not been compromised, but confirmed some of the data it had provided to HWL Ebsworth had been compromised by the hackers.

“The OAIC can confirm that it is a legal client of HWL Ebsworth,” the spokesperson said.

“We have also been recently informed that some material provided to the firm has been compromised as a result of the cyberattack.

“The OAIC is in active dialogue with HWL Ebsworth to understand what information has been compromised.

“Consistent with requirements of the Notifiable Data Breaches scheme, any affected individuals will be notified.”

The spokesperson did not answer questions about what data had been compromised.

HWL Ebsworth, which has done work for state and federal government agencies and large numbers of ASX top 50 companies, discovered it had been compromised in late April, and notified affected parties. It has since taken legal action to stop the hackers dumping data on the dark web. The cyber criminals have claimed to have stolen four terabytes of information, including financial information and credit-card numbers, and details about HWL Ebsworth’s clients.

The company has previously said it was working with OAIC – but it was not known until now that the privacy watchdog itself had suffered a data breach via the law firm’s compromise.

The OAIC monitors compliance with the breaches scheme, and tracks data breaches, which can occur through cyber hacking, loss of phones or other electronic devices, or a person’s private information being sent to the wrong person.

“When a data breach occurs, we expect an organisation or agency to try to reduce the chance that an individual experiences harm,” it says on its website.

“If they’re successful, and the data breach is not likely to result in serious harm, the organisation or agency doesn’t need to tell the individual about the data breach.”

The OAIC is involved in the investigation into a massive hack of the Latitude buy-now, pay-later company, and has been involved in the response to the Medibank and Optus hacks.

As the nation’s peak privacy watchdog, it handles Australian privacy complaints, and oversees reviews of Freedom of Information request denials from large federal government agencies. On its website, it says it upholds the rights of the public to access government-held information, as well as the right to have personal information protected.